Начало Каталог Помощ
Вход
erkanisik
/
core
огледало от https://github.com/pisilinux/core.git
Наблюдаван 1
Харесван 0
Разклонения 0
Файлове Задачи 0 Уики
Клон: master
Клонове Маркери
core
/
system
/
base
/
polkit
/
files
/
CVE-2021-4115.patch

CVE-2021-4115.patch 2.0 KB
Постоянна връзка История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
    2. 

  2. index 8ed1363..2fbf5f1 100644
    3. 

  3. --- a/src/polkit/polkitsystembusname.c
    4. 

  4. +++ b/src/polkit/polkitsystembusname.c
    5. 

  5. @@ -62,6 +62,10 @@ enum
    6. 

  6.    PROP_NAME,
    7. 

  7.  };
    8. 

  8.  
    9. 

  9. +
    10. 

  10. +guint8 dbus_call_respond_fails;      // has to be global because of callback
    11. 

  11. +
    12. 

  12. +
    13. 

  13.  static void subject_iface_init (PolkitSubjectIface *subject_iface);
    14. 

  14.  
    15. 

  15.  G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
    16. 

  16. @@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject              *src,
    17. 

  17.    if (!v)
    18. 

  18.      {
    19. 

  19.        data->caught_error = TRUE;
    20. 

  20. +      dbus_call_respond_fails += 1;
    21. 

  21.      }
    22. 

  22.    else
    23. 

  23.      {
    24. 

  24. @@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
    25. 

  25.    tmp_context = g_main_context_new ();
    26. 

  26.    g_main_context_push_thread_default (tmp_context);
    27. 

  27.  
    28. 

  28. +  dbus_call_respond_fails = 0;
    29. 

  29. +
    30. 

  30.    /* Do two async calls as it's basically as fast as one sync call.
    31. 

  31.     */
    32. 

  32.    g_dbus_connection_call (connection,
    33. 

  33. @@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
    34. 

  34.  			  on_retrieved_unix_uid_pid,
    35. 

  35.  			  &data);
    36. 

  36.  
    37. 

  37. -  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
    38. 

  38. -    g_main_context_iteration (tmp_context, TRUE);
    39. 

  39. +  while (TRUE)
    40. 

  40. +  {
    41. 

  41. +    /* If one dbus call returns error, we must wait until the other call
    42. 

  42. +     * calls _call_finish(), otherwise fd leak is possible.
    43. 

  43. +     * Resolves: GHSL-2021-077
    44. 

  44. +    */
    45. 

  45.  
    46. 

  46. -  if (data.caught_error)
    47. 

  47. -    goto out;
    48. 

  48. +    if ( (dbus_call_respond_fails > 1) )
    49. 

  49. +    {
    50. 

  50. +      // we got two faults, we can leave
    51. 

  51. +      goto out;
    52. 

  52. +    }
    53. 

  53. +
    54. 

  54. +    if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
    55. 

  55. +    {
    56. 

  56. +      // we got one fault and the other call finally finished, we can leave
    57. 

  57. +      goto out;
    58. 

  58. +    }
    59. 

  59. +
    60. 

  60. +    if ( !(data.retrieved_uid && data.retrieved_pid) )
    61. 

  61. +    {
    62. 

  62. +      g_main_context_iteration (tmp_context, TRUE);
    63. 

  63. +    }
    64. 

  64. +    else
    65. 

  65. +    {
    66. 

  66. +      break;
    67. 

  67. +    }
    68. 

  68. +  }
    69. 

  69.  
    70. 

  70.    if (out_uid)
    71. 

  71.      *out_uid = data.uid;
    72. 

  72.